Main section

On-Premises Certificate Lifecycle Management

Run SwissSign CLM inside your own network perimeter, with credentials and data that never leave your infrastructure. Built for large, regulated and deeply integrated environments.

  • CLM operates within your network perimeter

  • Admin credentials never leave your infrastructure, zero-trust compliant

  • Direct integration with internal systems (LDAP/AD, F5, ITSM, CMDB)

Certificate Lifecycle Management with maximum sovereignty and customisation for enterprise-level business continuity and security

Get in touch Try evaluation licence

For whom our On-Premises CLM works best

Compliance, audit or infrastructure rules require running inside your own perimeter

Regulated industries (finance, public sector, healthcare, energy, critical infrastructure)

You need deep integration with internal AD / F5 / ITSM / CMDB

You require strict network segregation or air-gapped zones

On-Premises CLM Architecture

 

  • Centralised management platform: single point of control for discovery, inventory, lifecycle, compliance and governance

  • Multi-module: connect multiple CAs and enrolment interfaces simultaneously with consistent policy enforcement

  • Profile-based model: central policy changes that don't disrupt consuming systems

  • Lightweight agents (Windows/Linux): discovery and end-to-end lifecycle actions on target systems; agents translate between CLM APIs and legacy protocols, provide centralised visibility and work offline

  • All capabilities via REST API, with RBAC enforced across UI, WebRA and API

  • Connectivity: supports both outbound (platform → your systems) and inbound (your systems → platform APIs). You manage firewall, allowlisting and routing

When On-Premises is the better fit

  • Choose On-Premises when security or compliance teams do not allow credentials, service accounts or automation paths to be managed from a cloud-hosted platform

  • Choose On-Premises when deep internal integrations, isolated network zones or direct access to internal production systems cannot be exposed via customer-side agents or connectors

  • On-Premises keeps the CLM platform, credentials and direct LDAP/AD, F5, ITSM and CMDB integrations inside your infrastructure

Smaller, public-certificate estates are usually better served by our Cloud model. Unsure? Use the deployment selector

Automate now – start with our evaluation licence!

 

Manage your full PKI and integrate CLM into your infrastructure with maximum security and sovereignty.

Get in touch with our Sales team or try our CLM with our Evaluation Licence

  • Dedicated SwissSign-hosted tenant for our Cloud CLM (Evertrust Horizon)

  • 60 days, up to 20 certificates

  • 4 hours of Professional Services support, including a kick-off meeting

  • Convert to production seamlessly: if you sign within 30 days of expiry, the tenant is reused, no migration

Note: the evaluation does not include Private PKI.

Discuss with Sales Start evaluation

How does the On-Premises CLM integrate into your infrastructure?

 

  • Load balancers / ADC / network: F5 BIG-IP (iControl REST, AS3), Citrix ADC (NetScaler), Fortinet FortiGate, Cloudflare

  • WAF / security: Ergon Airlock

  • DNS (provisioning & ACME DNS-01): EfficientIP, Infoblox, RFC 2136, AWS Route 53, Cloudflare, Azure DNS, Google Cloud DNS

  • PKI / CAs: Microsoft ADCS, Evertrust Stream, SwissSign, DigiCert, Entrust, Sectigo, ACME providers (e.g. Let's Encrypt), EJBCA

  • Containers: Kubernetes (cert-manager, secrets update, hot-reload), OpenShift

  • Cloud vaults: AWS Secrets Manager / ACM, Azure Key Vault, Google Cloud Certificate Manager

  • MDM: Microsoft Intune (SCEP & PKCS), Jamf Pro, MobileIron / Ivanti

  • DevOps: Ansible (full collection), Terraform (provider)

  • ITSM: ServiceNow (change-request workflow), Jira

  • SIEM / logging: Splunk, IBM QRadar

  • IdP: OIDC (Entra ID, Okta, Keycloak), SCIM v2

  • HSM / KMS: Thales, Securosys, Azure Key Vault

  • Directory: Microsoft AD, LDAP publishing

  • CBOM: import/export of Cryptography Bill of Materials

  • Automation protocols: ACME, EST, SCEP, WSTEP/MS WCCE, MDM, Intune, agents

Built for regulated industries

SwissSign operates under Swiss jurisdiction with Swiss hosting and is well positioned for FINMA, DORA and NIS2 expectations as well as GDPR and nDSG

  • CA/Browser Forum
  • ISO/IEC 27001
  • EPDG - IdP
  • ZertES
  • eIDAS

How does the implementation work?

  • Many organisations implement our CLM on their own

  • We offer a range of services (via separate SOWs) to support you (onboarding, PKI integration support, workflow customisation, API integration, migration, discovery optimisation, training and workshops)

  • Organisations also chose to work with their trusted IT integrator

Ready to bring certificate automation inside your perimeter?

Shrinking certificate lifetimes and post-quantum migration demand automation, but regulated, deeply integrated estates need it on their own terms. Run SwissSign CLM inside your network, with credentials and data that never leave your infrastructure. Talk to our experts about your deployment, or start with an evaluation licence.

Discuss with Sales Try evaluation licence

Frequently Asked Questions

Agents are designed to work offline and keep credentials inside your perimeter.

No, you (or your chosen partner) operate it within your infrastructure; SwissSign and partners provide implementation and support.

Yes; migration and PKI-consolidation workflows are supported via Professional Services.

Our CLM is built for large-scale estates: a standard deployment can manage up to around 200,000 certificates, while high-availability or distributed deployments can scale to tens of millions.